Case Study: A Cryptomining Attack — With an Assist From Advanced Malware Techniques

Share and earn Cybytes
Facebook Twitter LinkedIn Email

In Carbon Black’s Quarterly Incident Response Threat Report (QIRTR), some of the world’s leading incident response (IR) professionals reported seeing an uptick in lateral movement, counter incident response, and island-hopping attacks from motivated nation-states. In the case study below, Kroll notes how it uses Cb Response to remediate a cryptomining attack.

One day in early summer, a healthcare company noticed something troubling: An abnormally high volume of network traffic was inflicting downtime at several store locations. At first they thought it was an external attack — like a distributed denial of service — and legacy antivirus was unable to identify the threat. The finding from their ISP was even more troubling: the traffic was coming from the inside.

At this point they called in Kroll, which immediately installed Cb Response to gain visibility into the network. They saw that infected machines were causing a “traffic jam” because they were continuously scanning to find others to infect. Kroll also identified malware known as WannaMine trying to enlist as much computing power as possible to mine cryptocurrency.

Kroll has a long history working with these sorts of attacks. It used Carbon Black to run relevant queries, cross-check systems for suspicious behaviors and search running processes for cryptomining algorithms. Rather than imaging all 500 systems in the network, it could prioritize — using Carbon Black to identify the systems most likely to have permitted the malware’s initial entry. The data told Kroll the attacker had embedded code within PowerShell commands to obtain credentials using a variant of Mimikatz, run the miner and then spread itself via the WMI and SMB protocols. Two persistence mechanisms were also used: a WMI event consumer and scheduled tasks. The attackers might have been low-level cryptominers, but they were using high-level malware techniques made available, in part, by nation-state actors who employ standard Windows tools and protocols to evade traditional security defenses.

To remediate and recover from this attack, Kroll used Cb Live Response to surgically terminate the malicious PowerShell processes and remove the persistence mechanisms. Scripting against the Cb Live Response API meant that Kroll could do this across all affected systems quickly. Within days, as the Carbon Black deployment was completed, Kroll’s IR team restored network performance. The traffic let up and the coast was clear for business to return to normal.

Interested in learning more how you can put incident response best practices into use? At Cb Connect 2018 you’ll have the opportunity to connect with other like-minded security users and build your resume while you become Carbon Black Certified. Becoming Carbon Black Certified for Cb Defense, Cb Protection and/or Cb Response gives you the opportunity to: Earn continuing professional education (CPE) credits through (ISC)2,  Strengthen your knowledge of the product, Continue to develop your skills in information. Learn more here.

The post Case Study: A Cryptomining Attack — With an Assist From Advanced Malware Techniques appeared first on Carbon Black.

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
About Carbon Black, Inc.
Carbon Black is the leading provider of next-generation endpoint security. Carbon Black’s Next-Generation Antivirus (NGAV) solution, Cb Defense, leverages breakthrough prevention technology, “Streaming Prevention,” to instantly see and stop cyberattacks before they execute. Cb Defense uniquely combines breakthrough prevention with market-leading detection and response into a single, lightweight agent delivered through the cloud. With more than 7 million endpoints under management, Carbon Black has more than 2,500 customers, including 30 of the Fortune 100. These customers use Carbon Black to replace legacy antivirus, lock down critical systems, hunt threats, and protect their endpoints from the most advanced cyberattacks, including non-malware attacks.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?